Hong Kong privacy regulator urged a paradigm shift from compliance to accountability

17 March 2014

Background

1. The Office of the Privacy Commissioner for Personal Data, Hong Kong (the "PCPD") released the Privacy Management Programme – A Best Practice Guide (the "Guide") in February 2014. The Guide provides a framework and guidance for organisations to implement a Privacy Management Programme ("PMP") to protect personal data privacy.

2. While a PMP is not strictly required under the Personal Data (Privacy) Ordinance and the Guide specifically states that it is not a Code of Practice or a Guidance Note, a PMP is said to provide an effective way for organisations to guarantee compliance.

3. The Guide stipulates the key components of a PMP:

● Organisational commitment to cultivate a privacy-respectful culture – Top management is requested to support the PMP and the appointment of a data protection officer; and some form of internal assurance mechanism should be put in place.

● Programme controls to ensure implementation of the governance structure – Organisations are expected to be clear about the kinds of personal data they hold, and to develop privacy policies, risk management tools and staff training programmes to handle data breaches and manage data processors.

● An oversight and review plan to establish performance measures and set out when the PMP will be reviewed.

● Continuous assessment and revision of programme controls to ensure effectiveness of the PMP.

Significance of the Guide

4. Organisations are asked to consider their own particularities and exercise judgment in setting up a suitable PMP.

5. The Guide signifies that the Hong Kong data privacy protection regime is maturing to the next level.

6. Public awareness of data privacy protection has grown over the years locally. In 2013, the PCPD received a total of 24,161 enquiries, representing an increase of 27% compared with 2012. A total of 1,792 complaints were received by the PCPD, an increase of 48% compared with 2012. The number of members of the public attending PCPD's training seminars grew 28% in 2013.

7. The PCPD expects organisations to commit to protecting data privacy voluntarily, instead of merely doing the minimum required for compliance. Organisations are encouraged to inspire customer confidence by enhancing their data privacy accountability.

8. In fact, the PCPD has announced that one of its strategic focuses in 2014 would be to promote the need for organisations to "embrace privacy and data protection as part of their corporate governance responsibilities and adopt holistic privacy management programmes".